Controlling Information Systems: Business Process Controls
In this chapter we learn how to analyze narratives and system flowcharts and begin to ANALYZE our documentation of business process for controls that exist or are missing. For missing controls, implementation should proceed next (assuming benefits of these controls exceed the exposure risk). For existing controls, we still need to determine if they are operating as expected, or if they need to be corrected, and lastly we need to determine if we have too many overlapping controls in place, thus creating possible costs that exceed the benefits.
The Control Matrix (definition):
A tool designed to assist you in analyzing a systems flowchart and related narrative. Also, it establishes the criteria to be used in evaluating the controls in a particular business process. The control matrix adds practical value to the control framework of internal controls.
Real-World Application: Control Matrix and the Sarbanes-Oxley Act
The following is from an article posted in Internal Auditing titled "Mending the holes in SOX : The Control Matrix as an Internal audit tool.
"The Sarbanes-Oxley Act has been difficult for many companies to implement. Section 404, which mandates managers of public companies to establish, document, and assess the effectiveness of their internal control structures, has been the most difficult provision to adopt...
"One of the better ways of documenting internal controls is the use of flowcharts. Flowcharting is a method of graphically illustrating the control structure, thus giving internal auditors a better understanding of operating processes that could lead to improvements. Most companies have already flowcharted their business processes. The major challenge has been the assessment of their controls. A control matrix can be used to accomplish this task....
"The control matrix is a tool designed to assist an internal auditor in assessing a systems flowchart by establishing the criteria for evaluating the operational and information controls in a particular business process. The control goals of the operations process are assessed for effectiveness, efficiency, and security. The control goals of the information process are assessed for input validity, input completeness, input accuracy, update completeness, and update accuracy. The control environment is not listed on the control matrix because it is better assessed at the company level....
Steps in Preparing the Control Matrix:Step 1: Specify Control Goals: The goals are listed across the top row of the matrix. The tailoring involves:
Identifying operations process goals: For this, you should ask yourself, "What are the purposes of the business process, which resources are utilized in executing the process, are the resources used efficiently, how secure are the resources, and what are the undesirable risks to which the operations are exposed?" This can be subdivided into the following:
Effectiveness Goals: Ensure the successful accomplishment of the goals set forth for the business process under consideration. These are identified on the control matrix as Goal A, Goal B, Goal C, and so forth.
Labled A-ZZZ
Efficiency Goals: Ensure that all resources used throughout the business process are being employed in the most productive manner. People and computers would always be considered in the efficiency assessments related to AIS. Others may be considered depending on the process/goal.
Security Goals: Ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse. With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, as well as assets that are brought into or taken out of the organization as a result of the process, such as cash, inventory, and fixed assets.
Identifying information process goals: For this, you should ask yourself, "What information will be affected during the input and update processes, and what are the undesirable risks to which the information is exposed?" The input and update goals of the information process are as follows:
Input Goals: With respect to all business process data entering the system, ensure the following:
Input validity (IV)
An example of input validity is written approvals. By checking to see that approvals are present on all input documents, we reduce the possibility that invalid (unauthorized event data will be input.) This can be done through login screens to ensure only those authoizedcan input relevant data.
Input completeness (IC)
An example of input completeness is a procedure for rejected inputs. The rejection procedures (i.e., "Error routine not shown" annotations) are designed to ensure that erroneous data not accepted for processing are corrected and resubmitted for processing. Some systems may have feedback procdures that ask the user if the data is full and correctso they can double check themselves or notify them if particularfileds are left blank.
Input accuracy (IA)
An example of input validity is key verification. By having one data entry person key the data and a second person rekey that same data, we should detect the majority of keying errors
Update Goals: Update goals must consider all related information that will be affected in some manner by the input data, such as master file data and ledger data. In an online real time system or event driven architecture there are no update goals present. The purpose of update control goals of the information process is to ensure the the following of the business process input data:
Update Completeness (UC)
An example of update completeness is verifying all events were updated to the master data.
Update Accuracy (UA)
An example of update accuracy is verifying all events were updated correctly to the master data.
>>
>> Step 2: Recommend Control Plans: This step focuses on the nature and extent of control plans that should be in place to minimize undesirable risk exposures to an acceptable level of residual risk. It should list a set of recommended control plans that is appropriate for the process being analyzed. The list should include both plans related to the operations process (ex: the cash receipts process) and those related to the information processing methods (ex:data entry controls, batch controls). The following steps should be considered:
Examine the control matrix and see if there are any controls goals for which no control plan exists. If so, develop a control plan designed to minimize associated risks (control plans). Explain the nature and extent of the missing plan in the legend of the matrix. Repeat this procedure until all control goals on the matrix are addressed by one or more control plans. Label control plans P-1,P-2,P-3...
Analyze the systems flowchart for further risk exposures for which you would recommend adding additional controls or strengthening existing controls. Note any further additions on the controls matrix using the same procedures described for present or missing controls plans.
Review the flowchart and determine whether a control is present (P-) or missing (M-).
Generic Control Plans:
Input Plans (Manual Input) * See below for further explanation *
This data input plan is prone to data entry error due to it being manually entered.
Controls available for manual input include:
Online Prompting
Interactive feedback
Procedure to deal with input that has been rejected by the system
Preformatted screens to limit user error
Data entry verification
Control Plans for Data Entry Without Master Data - When technology of a system is appropriate, these controls should be incorporated into the list of recommended control plans:
Document Design - a control plan in which a source document is designed in such a way as to make it easier to prepare the document initially and later to input data from the document.
Written Approvals - take the form of a signature or initials on a document to indicate that that person has authorized the event (authentication).
Preformatted Screens - control the entry of data by defining the acceptable format of each data field. (Example: the screen might force users to key exactly nine alphabetic characters in one field and exactly five numerals in another field).
Online Prompting - requests user input or asks questions that the user must answer (Example: after entering all the input data for a particular customer sales order you might be presented with three options: accept the completed screen, edit the completed screen, reject the completed screen). By forcing you to stop and accept the order, online prompting is, in a sense, advising you to check your data entries before moving on. In addition, many systems provide context-sensitive help whereby the user is automatically provided with, or can ask for, descriptions of the data to be entered into each input field.
Controls related to manual keying--when evaluating controls related to manual keying of input documents, you should look for well-designed documents, written aprovals signifying the validity of the underlying event, preformatted screens that complement the input document, and online prompting.
Programmed Edit Checks - automatically performed by data entry programs upon entry of the input data. Programmed edits can highlight actual or potential input errors, and allow them to be corrected quickly and efficiently. The most common types of programmed edit checks are the following:
Reasonableness checks (limit checks) - test whether the contents (values) of the data entered fall within predetermined limits. This can be done for time entry because there may be a certain amount of hours that can be worked each day given the limits of hours of operation.
Document/record hash totals - reflect a summarization of any numeric data field within the input document or record, such as item numbers of quantities on a customer order. Toatling the numbers typically serves nopurpose other than a control. Calculated before and after entry of the document or record, this total can be used to determine that the applicable feilds were entered accuratly and completely.
Mathematical accuracy checks - compare calculations performed manually to those performed by the computer to determine if a document has been entered correctly. The computer can compare the data or the user can review the computer calculations and compare them to totals prepared before input.
Check digit verification - involves the inclusion of an extra digit - a check digit - in the identification number of entities such as customers and vendors.
Procedures for rejected inputs - designed to ensure that erroneous data - not accepted for processing - are corrected and resubmitted for processing. To make sure that the corrected input does not still contain errors, the corrected input data should undergo all routines through which the input was processed originally.
Keying corrections - how the clerk completes the procedures for rejected inputs, thus ensuring that the input is accurate.
Interactive feedback checks - controls in which the data entry program informs the user that the input has been accepted and recorded or rejected for processing. The program may flash a message on the screen telling a user that the input has been accepted or rejected for processing.
Record input - automatically stores the accurate, valid input data onto digital media for subsequent updating procedures in a timely manner with minimal use of resources. Automated proceudres done by the system are themost common form of time saving procudures for recording inputs to master data.
Key verification - takes place when documents are keyed by one individual and rekeyed by a second individual. The data entry software compares the second keystroking to the first keystroking. By re-keying inputsinput complteness and accuracy are verified.
Digital Signature - a technology that validates the identity of the sender and the integrity of an elctronic message. Digital Signature Software
Populate inputs with master data - the system user merely enteres an entity's identification code & the system then retrieves certain data about that entity form existing master data. This can be done through log in processes that verifies if the employee id exist in the master data for existing employees.
Compare input data with master data - we can determine the accuracy and validity of the input data.
Input/master data dependency checks - Test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
Input/master data validity and accuracy checks - Test whether master data supports the validity and accuracy of the input.
*
** >>
>> Batch Control Plans: regulate information processing by calculating control totals at various points in a processing run and subsequently comparing these totals. When the various batch totals fail to agree, evidence exists that an event description may have been lost (completeness exposure), added (validity exposure), or changed (accuracy exposure). Once established, batch totals can be reconciled manually or the computer can reconcile them.
Input Plans (Batch Input)
This data input plan collects data and enters them as batches
This control focuses on the batch, which shows that there is a delay between the event and the reflection of the event
For batch control plans to be effective, they should ensure that
All documents are batched- batch totals should be established close to the time that the source documents are created or are received from external entities
All batches are submitted for processing- batch logs and transmittals help protect against the loss of entire batches
All batches are accepted by the computer
All differences disclosed by reconciliations are investigated and corrected on a timely basis.
Controls available for data input with Batches
Document/record count - minimal level required, not usually sufficient
Line counts - reduces possibility that items are added/omitted (improves validity, completeness & accuracy)
Dollar totals - Also reduces possibility that items are added/omitted (improves validity, completeness & accuracy)
Hash totals - sums on numeric data for all docs in the batch, such as invoice numbers. Hash totals are effective because they have no other purpose other than to serve as a control. Hash totals also determine if inputs have been added/deleted
Recommended steps for Batch control plans include:
Receive turnaround documents- which are used to capture and input a susequent event(examples including picking tickets, remittance advice stubs, and payroll timecards). This helps ensure input validity and accuracy by using a source document
Calculate batch totals- helps ensure input validity and completeness
Record picking tickets-The picking tickets are automatically recorded into the computer using a barcode. This process stores the accurate,valid input data onto digital media for subsequent updating procedures in a timely manner with ninimal use of resources.
Automated sequence check- Event data are checked in the below manner:
The range of serial numbers constituting the batch is entered.
Each individual, serially pre-numbered event data is entered.
The computer porgram sorts the event data into numerical order; checks the documents against the sequence number rang; and reports missing, duplicate, and out-of-range event data.
Reconciliation of batch totals - operates in the following manner
1 or more of the batch totals are established manually
The data entry program accumulates independent batch totals as individual events are scanned
The computer produces reports with the relevant control totals that are manually reconciled to prior established totals
The person who reconciles determines why the totals do not agree and makes corrections
Computer agreement of batch totals -
1+ of the batch totals are established manually.
The manually prepared total is entered into the computer and is written to the computer batch control totals data.
As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones propared manually and entered at the start of the processing
The computer prepares a report, which usally contains details of each batch, together with an indication of whether the totals agreed or disagreed. Batches that do not balance are normally rejected, and discrepancies are manually investigated.
Record shipments - automatic recording stores the accurate, valid input data onto digital media in a timely manner with minimal used of resources
Reconcile input and output batch totals(agreement of run-to-run totals) - totals prepared before a computer process has begun are compared (manually or by computer) to totals prepared at the completion of the computer process.
Compare picking tickets and packing slips- ensures that all picking tickets are linked to a packing slip, and that these items match.
Edit Input Plans
Resolve Errors Plans
A procedure for rejected inputs has to do with input completeness: The rejection procedures (i.e., "Error routine not shown" annotations) are designed to ensure that erroneous data not accepted for processing are corrected and resubmitted for processing.
Correct Errors/Input Plans
A procedure to key corrections has to do with input accuracy: This step completes the rejection procedures (i.e., "Error routine not shown" annotations) by ensuring that the corrections are submitted for processing
Record Input Plans
An example of a record input plan automatic recording of input event data is fast and reliable.
Effectiveness goal, efficient employment of resources. Can be completed quickly and with less effort.
Security goal- can only access the input document no the actual resources.
Input accuracy-legible so less errors occur.
***
> >> >>>
2. Written approval
input validity-makes sure the right person puts the right info in
***
> >> >>>
>>>
3. preformatted screens
effective goal-structure = efficiency
accuracy-can only put in certain places and must be filled out completely
>>>
> >> >>>
>>>
4. Online prompting
effective/efficient-you always know where you need to go next.
Accuracy-reduce errors
>>>
> >> >>>
>>>
5. programmed edit checks
effective/efficient-you don’t have to take the time to look for errors.
Accuracy-obvious
>>>
> >> >>>
>>>
6. procedures for rejected inputs
input completeness-designed to ensure that erroneous data not accepted are corrected
>>>
> >> >>>
>>>
7. Key corrections
input accuracy-this step completes rejection procedures by ensuring that the corrections are submitted for processing.
>>>
> >> >>>
>>>
8. record input
effective/efficient-automatic recording is faster.
>>>
> >> >>>
>>>
9. interactive feedback checks
input completeness-it tells user that everything is good.
>>>
> >> >>>
>>>
10. key verification
input accuracy-two people key the same info will be less errors.
>>>
> >> >>>
>>>
11. enter data close to the originating source.
Effective/efficient-when you do things close together it goes faster. You retain some information in your memory or just familiar.
Input completeness-info is taken from source so less is missed.
Input accuracy-because familiarity, more accurate.
>>>
> >> >>>
>>>
12. digital signature
security-obvious
input validity-only the right guy can put it in.
input accuracy-detects things that have been changed and by whom.
>>>
> >> >>>
>>>
13. populate input with master data
effective/efficient-automatic anything is faster. Fewer keystrokes.
Input validity-if you access the master data with the proper code you get the right information that will help you do the right process.
Input accuracy-fewer keystrokes
>>>
> >> >>>
>>>
14. compare input data with master data
effective-quicker if errors are found sooner
input accuracy-make sure everything is right
>>>
> >> >>>
>>>
15. receive turnaround documents
effective/efficient-by reducing the amount of data that must be put in to record shipment we improve speed
input validity-documents printed in different area so you must assume that they are good.
Input accuracy-two people looking = less errors
>>>
> >> >>>
>>>
16. calculate batch totals
input validity/completeness-they come from legitimate documents so we ensure they are the right numbers and that they are complete.
They don’t take care of accuracy as that is done in reconciliation
>>>
> >> >>>
>>>
17. record picking tickets
effective/efficient-bar code is fast.
Input validity-printed somewhere else it must be good
>>>
> >> >>>
>>>
18. manually reconcile batch totals
input validity/completeness/accuracy
this should be done everywhere in my opinion.
If batch totals agree it ensures that all prior steps are correct, complete, and valid.
>>>
> >> >>>
>>>
19. compare picking ticket with packing slip
effective-easier to check that looking at individual stuff in box.
Security/validity- by matching we reduce possibility that invalid sales event has been recorded. This makes sure we don’t give people stuff they won’t pay for
Input completeness/accuracy Update completeness/accuracy-all go together. We are checking a document against a computer printout. If correct then everything in the computer is correct.
>>>
> >> >>>
>>>
20. automated sequence checks
input validity/completeness-by comparing an expected sequence of documents to those actually input, you can see if things happened more than once that shouldn’t have or if a number is missing. (the stars on you bank statement when checks are out of order)
>>>
> >> >>>
21. computer agreement of batch totals.
Effective/efficient-using a computer is always faster.
Input validity/complete/accuracy-the right stuff has been used. All the documents have been used and all that was put in is correct. ----
>
>
>
>> >
>>
>
>>>
>>>> >
>>>>
>
>
>
>>>>>
>>>>>>> An Example of a Control Matrix: Matrix Mapping
Data encryption- a process that employs mathmatical algorithms and encryption keys to encode data so that it is unintelligible to the human eye and therefore useless to those who should not have access to it. It is used in situations where the data is of such a sensitive nature that we want to perserve the privacy and confidentiality.
Example: Caesar cipher - a simple, one-for-one letter substitution system. This is very oversimplified and today's data encryption must befar more complex and sophisticated to serve a purpose to the business owner using it.
>> >>> >>>> >>>>>> >>>>>>> >>>>>>>>
Public-key cryptography- employs a pair of matched keys for eah system user, one private and one public.
>
>>
>>
>>
***
>>>>
>> >>> >>>>
Wrong and right formats
The format most people think of first when asked to map internal controls to risks is the obvious one: a list of risks, with controls written against each risk to show the risk is covered. The layout is some variation on the one below, with other columns added for extra information and cross referencing:
> >> >>> >>>>
|| Risk/control objective || Controls ||
|| Risk A || Controls addressing risk A ||
|| Risk B || Controls addressing risk B ||
|| Risk C || Controls addressing risk C ||
|| Risk D || Controls addressing risk D ||
|| etc || etc ||
> >> >>> >>>>
At first glance this seems sensible and there is no obvious objection in principle. However, this is a disastrous choice. If the format your company uses, or plans to use, is like this then read on.
A vastly superior format is to list controls down the left hand column, and risks across the column headings, then mark off where controls address risks within a matrix of small cells, like this:
> >> >>> >>>>
|| Control || Risk A || Risk B || Risk C || Risk D || etc ||
|| Control 1 || || 1 || 1 || || ||
|| Control 2 || || || 1 || || 1 ||
|| Control 3 || 1 || || || || 1 ||
|| Control 4 || || || 1 || 1 || 1 ||
|| etc || || || || || ||
> >> >>> >>>>
In this example, Risk A is covered by Control 3 only. Risk B is covered by Control 1 only. Risk C is covered by Controls 1, 2, and 4. And so on.
At first glance this seems unpromising. Surely there will be lots of wasted space? Won't the column headings be difficult to read? What if there are too many risks to fit across the page?
All these are minor issues whose impact can be minimised, and they are insignificant next to the hidden drawbacks of the more obvious approach. The next section looks in more detail and the advantages and disadvantages of each type.
Controlling Information Systems: Business Process Controls
In this chapter we learn how to analyze narratives and system flowcharts and begin to ANALYZE our documentation of business process for controls that exist or are missing. For missing controls, implementation should proceed next (assuming benefits of these controls exceed the exposure risk). For existing controls, we still need to determine if they are operating as expected, or if they need to be corrected, and lastly we need to determine if we have too many overlapping controls in place, thus creating possible costs that exceed the benefits.
The Control Matrix (definition):
Sample Control Matrix:
=
=
Real-World Application: Control Matrix and the Sarbanes-Oxley Act
The following is from an article posted in Internal Auditing titled "Mending the holes in SOX : The Control Matrix as an Internal audit tool."The Sarbanes-Oxley Act has been difficult for many companies to implement. Section 404, which mandates managers of public companies to establish, document, and assess the effectiveness of their internal control structures, has been the most difficult provision to adopt...
"One of the better ways of documenting internal controls is the use of flowcharts. Flowcharting is a method of graphically illustrating the control structure, thus giving internal auditors a better understanding of operating processes that could lead to improvements. Most companies have already flowcharted their business processes. The major challenge has been the assessment of their controls. A control matrix can be used to accomplish this task....
"The control matrix is a tool designed to assist an internal auditor in assessing a systems flowchart by establishing the criteria for evaluating the operational and information controls in a particular business process. The control goals of the operations process are assessed for effectiveness, efficiency, and security. The control goals of the information process are assessed for input validity, input completeness, input accuracy, update completeness, and update accuracy. The control environment is not listed on the control matrix because it is better assessed at the company level....
Steps in Preparing the Control Matrix:Step 1: Specify Control Goals: The goals are listed across the top row of the matrix. The tailoring involves:
- Update Goals: Update goals must consider all related information that will be affected in some manner by the input data, such as master file data and ledger data. In an online real time system or event driven architecture there are no update goals present. The purpose of update control goals of the information process is to ensure the the following of the business process input data:
- Update Completeness (UC)
- An example of update completeness is verifying all events were updated to the master data.
- Update Accuracy (UA)
- An example of update accuracy is verifying all events were updated correctly to the master data.
>>>>
Step 2: Recommend Control Plans: This step focuses on the nature and extent of control plans that should be in place to minimize undesirable risk exposures to an acceptable level of residual risk. It should list a set of recommended control plans that is appropriate for the process being analyzed. The list should include both plans related to the operations process (ex: the cash receipts process) and those related to the information processing methods (ex:data entry controls, batch controls). The following steps should be considered:
Generic Control Plans:
- Procedures for rejected inputs - designed to ensure that erroneous data - not accepted for processing - are corrected and resubmitted for processing. To make sure that the corrected input does not still contain errors, the corrected input data should undergo all routines through which the input was processed originally.
- Keying corrections - how the clerk completes the procedures for rejected inputs, thus ensuring that the input is accurate.
- Interactive feedback checks - controls in which the data entry program informs the user that the input has been accepted and recorded or rejected for processing. The program may flash a message on the screen telling a user that the input has been accepted or rejected for processing.
- Record input - automatically stores the accurate, valid input data onto digital media for subsequent updating procedures in a timely manner with minimal use of resources. Automated proceudres done by the system are themost common form of time saving procudures for recording inputs to master data.
- Key verification - takes place when documents are keyed by one individual and rekeyed by a second individual. The data entry software compares the second keystroking to the first keystroking. By re-keying inputsinput complteness and accuracy are verified.
- Digital Signature - a technology that validates the identity of the sender and the integrity of an elctronic message. Digital Signature Software
- Populate inputs with master data - the system user merely enteres an entity's identification code & the system then retrieves certain data about that entity form existing master data. This can be done through log in processes that verifies if the employee id exist in the master data for existing employees.
- Compare input data with master data - we can determine the accuracy and validity of the input data.
- Input/master data dependency checks - Test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
- Input/master data validity and accuracy checks - Test whether master data supports the validity and accuracy of the input.
*** >>
- >> Batch Control Plans: regulate information processing by calculating control totals at various points in a processing run and subsequently comparing these totals. When the various batch totals fail to agree, evidence exists that an event description may have been lost (completeness exposure), added (validity exposure), or changed (accuracy exposure). Once established, batch totals can be reconciled manually or the computer can reconcile them.
- Input Plans (Batch Input)
- This data input plan collects data and enters them as batches
- This control focuses on the batch, which shows that there is a delay between the event and the reflection of the event
- For batch control plans to be effective, they should ensure that
- All documents are batched- batch totals should be established close to the time that the source documents are created or are received from external entities
- All batches are submitted for processing- batch logs and transmittals help protect against the loss of entire batches
- All batches are accepted by the computer
- All differences disclosed by reconciliations are investigated and corrected on a timely basis.
- Controls available for data input with Batches
- Document/record count - minimal level required, not usually sufficient
- Line counts - reduces possibility that items are added/omitted (improves validity, completeness & accuracy)
- Dollar totals - Also reduces possibility that items are added/omitted (improves validity, completeness & accuracy)
- Hash totals - sums on numeric data for all docs in the batch, such as invoice numbers. Hash totals are effective because they have no other purpose other than to serve as a control. Hash totals also determine if inputs have been added/deleted
- Recommended steps for Batch control plans include:
- Receive turnaround documents- which are used to capture and input a susequent event(examples including picking tickets, remittance advice stubs, and payroll timecards). This helps ensure input validity and accuracy by using a source document
- Calculate batch totals- helps ensure input validity and completeness
- Record picking tickets-The picking tickets are automatically recorded into the computer using a barcode. This process stores the accurate,valid input data onto digital media for subsequent updating procedures in a timely manner with ninimal use of resources.
- Automated sequence check - Event data are checked in the below manner:
- The range of serial numbers constituting the batch is entered.
- Each individual, serially pre-numbered event data is entered.
- The computer porgram sorts the event data into numerical order; checks the documents against the sequence number rang; and reports missing, duplicate, and out-of-range event data.
- Reconciliation of batch totals - operates in the following manner
- 1 or more of the batch totals are established manually
- The data entry program accumulates independent batch totals as individual events are scanned
- The computer produces reports with the relevant control totals that are manually reconciled to prior established totals
- The person who reconciles determines why the totals do not agree and makes corrections
- Computer agreement of batch totals -
- 1+ of the batch totals are established manually.
- The manually prepared total is entered into the computer and is written to the computer batch control totals data.
- As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones propared manually and entered at the start of the processing
- The computer prepares a report, which usally contains details of each batch, together with an indication of whether the totals agreed or disagreed. Batches that do not balance are normally rejected, and discrepancies are manually investigated.
- Record shipments - automatic recording stores the accurate, valid input data onto digital media in a timely manner with minimal used of resources
- Reconcile input and output batch totals (agreement of run-to-run totals) - totals prepared before a computer process has begun are compared (manually or by computer) to totals prepared at the completion of the computer process.
- Compare picking tickets and packing slips- ensures that all picking tickets are linked to a packing slip, and that these items match.
- Edit Input Plans
- Resolve Errors Plans
- A procedure for rejected inputs has to do with input completeness: The rejection procedures (i.e., "Error routine not shown" annotations) are designed to ensure that erroneous data not accepted for processing are corrected and resubmitted for processing.
- Correct Errors/Input Plans
- A procedure to key corrections has to do with input accuracy: This step completes the rejection procedures (i.e., "Error routine not shown" annotations) by ensuring that the corrections are submitted for processing
- Record Input Plans
- An example of a record input plan automatic recording of input event data is fast and reliable.
- Effectiveness goal, efficient employment of resources. Can be completed quickly and with less effort.
- Security goal- can only access the input document no the actual resources.
- Input accuracy-legible so less errors occur.
***> >> >>>
- 2. Written approval
- input validity-makes sure the right person puts the right info in
***> >> >>>
- >>>
- 3. preformatted screens
- effective goal-structure = efficiency
- accuracy-can only put in certain places and must be filled out completely
>>>> >> >>>
- >>>
- 4. Online prompting
- effective/efficient-you always know where you need to go next.
- Accuracy-reduce errors
>>>> >> >>>
- >>>
- 5. programmed edit checks
- effective/efficient-you don’t have to take the time to look for errors.
- Accuracy-obvious
>>>> >> >>>
- >>>
- 6. procedures for rejected inputs
- input completeness-designed to ensure that erroneous data not accepted are corrected
>>>> >> >>>
- >>>
- 7. Key corrections
- input accuracy-this step completes rejection procedures by ensuring that the corrections are submitted for processing.
>>>> >> >>>
- >>>
- 8. record input
- effective/efficient-automatic recording is faster.
>>>> >> >>>
- >>>
- 9. interactive feedback checks
- input completeness-it tells user that everything is good.
>>>> >> >>>
- >>>
- 10. key verification
- input accuracy-two people key the same info will be less errors.
>>>> >> >>>
- >>>
- 11. enter data close to the originating source.
- Effective/efficient-when you do things close together it goes faster. You retain some information in your memory or just familiar.
- Input completeness-info is taken from source so less is missed.
- Input accuracy-because familiarity, more accurate.
>>>> >> >>>
- >>>
- 12. digital signature
- security-obvious
- input validity-only the right guy can put it in.
- input accuracy-detects things that have been changed and by whom.
>>>> >> >>>
- >>>
- 13. populate input with master data
- effective/efficient-automatic anything is faster. Fewer keystrokes.
- Input validity-if you access the master data with the proper code you get the right information that will help you do the right process.
- Input accuracy-fewer keystrokes
>>>> >> >>>
- >>>
- 14. compare input data with master data
- effective-quicker if errors are found sooner
- input accuracy-make sure everything is right
>>>> >> >>>
- >>>
- 15. receive turnaround documents
- effective/efficient-by reducing the amount of data that must be put in to record shipment we improve speed
- input validity-documents printed in different area so you must assume that they are good.
- Input accuracy-two people looking = less errors
>>>> >> >>>
- >>>
- 16. calculate batch totals
- input validity/completeness-they come from legitimate documents so we ensure they are the right numbers and that they are complete.
- They don’t take care of accuracy as that is done in reconciliation
>>>> >> >>>
- >>>
- 17. record picking tickets
- effective/efficient-bar code is fast.
- Input validity-printed somewhere else it must be good
>>>> >> >>>
- >>>
- 18. manually reconcile batch totals
- input validity/completeness/accuracy
- this should be done everywhere in my opinion.
- If batch totals agree it ensures that all prior steps are correct, complete, and valid.
>>>> >> >>>
- >>>
- 19. compare picking ticket with packing slip
- effective-easier to check that looking at individual stuff in box.
- Security/validity- by matching we reduce possibility that invalid sales event has been recorded. This makes sure we don’t give people stuff they won’t pay for
- Input completeness/accuracy Update completeness/accuracy-all go together. We are checking a document against a computer printout. If correct then everything in the computer is correct.
>>>> >> >>>
- >>>
- 20. automated sequence checks
- input validity/completeness-by comparing an expected sequence of documents to those actually input, you can see if things happened more than once that shouldn’t have or if a number is missing. (the stars on you bank statement when checks are out of order)
>>>> >> >>>
>
- >
>>> >
>>
- >
>>>>>>> >
>>>>
- >
- >
- >
>>>>>>>>>>>> An Example of a Control Matrix: Matrix Mapping
- >
>>>>>>>>>>>>>>>> >
>>>>>>>>>
- || ||
>>>>>>>>>>>> >> >>> >>>> >>>>> >>>>>>> >>>>>>>>> >>>>>>>>>>>
>
>
>
>
*
>
*
>
**
- >>
**> >>
- >>
*> >>>
*
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
** >>>
- || || || ||
>>
>
>
>
>
*
>
*
>
**
- >>
**>>>
- >> >>>
>>>>>>>
- >> >>> >>>>
>>>>> >> >>> >>>>
> >> >>> >>>>
>>>>>> Appendix A:
- >> >>> >>>> >>>>>> >>>>>>> >>>>>>>>
- Public-key cryptography- employs a pair of matched keys for eah system user, one private and one public.
>>>
- >>
>>***
>>>>
> >> >>> >>>>
> >> >>> >>>>
> >> >>> >>>>
> >> >>> >>>>